Hi all,
I'm about to learn it the hard way that there have been major changes in 5.2.
I'm following this guide: https://www.youtube.com/watch?v=lqYbNqZSPRA
I understand that there is only one policy needed now, allowing remote clients to connect to the corporate network. However, my clients are now bound to the tunnel and cannot surf the internet or do email while being connected.
I believe this has something to do with "enable split tunneling" in the SSL-Portal configuration. When I try to enable split tunneling, the Forti unit checks and gives back:
Failed to save portal. Split tunneling cannot be enabled since IPv4 policy #3's destination address of "all" would be invalid for user/group "sslvpn" (as defined in the SSL-VPN Settings Authentication/Portal Mapping).
Policy 3 is "ssl.root to lan".
To keep it simple:
How can I have my clients use FortiClient to dial in (not the web access / web portal) and connect to the corporate network while being able to browse the internet through their own internet connection (and not using the corporate's one through the tunnel)?
thanks a lot in advance
Hi,
You are on the right track.
The policy you have created:
ssl.root -> LAN needs to have destination address other than "ALL".
ssl.root -> LAN -> Destination Address (for example 192.168.1.0/24)
Then you can set the split-tunneling in the ssl vpn settings.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Hi Selective,
Thanks, changing the destination did the trick to be able to enable split-tunnel.
However, I still have no internet access on the client while connected through VPN. I have serious problems here :) Is there any documentation with "daily cases" like having remote workers dial in and still let them stay online, like the FortiGate documentation always had in the past? I miss creating a "firewall" or "SSL-VPN" policy, for example; I'm totally lost. No routing, nothing works in 5.2 the way it was.
thank you.
There could be a lot of things.
What network are you pushing out to your clients?
DNS settings?
Best would be to post your config.
SSLVPN is a lot easier now in 5.2 ;)
Posting the config may be a little too much, I believe, but thanks. The machine is naked but I will put it into production on Thursday, with 5.0.10 I believe.
Yes, I have heard that 5.2 should have made this and other stuff easier. But if you did it the other way around for some years... err
What network? I use the given 10.2xx.x.x for the SSL-VPN clients.
DNS is currently not important.
I found this here:
http://mirazon.com/fortios-5-2-update-ssl-vpn-configuration-on-fortigate/
If you may have a look? Is this the way to go?
I have no routing address edited on my machine currently, for example, like the one pointed out in this link. I believe a static route to ssl.root was always given in lower FortiOS 5.2, too(?). I have no static route in 5.2. The one I created made things worse...
So status: VPN connection through the client works, I can ping the LAN, but the client is VPN-network-only.
Thank you
Yes, that looks like a good link.
Follow it and replace with your settings/network.
Hi again,
OK, split tunnel is working and I can access the protected LAN through the tunnel (RDP), I just get no traffic back to the client (no ping answer from a server in the corporate network coming back).
The static route points to the SSL-VPN clients' address range and to the ssl.root device.
The attached policy screenshot looks ****, but it's what results as I followed the manual on http://docs.fortinet.com/uploaded/files/1952/fortigate-sslvpn.pdf
page 27 (SSL-VPN security policy and matching tunnel mode security policy).
I do not have 2 networks like stated in this link http://mirazon.com/fortios-5-2-update-ssl-vpn-configuration-on-fortigate/
--> "Local subnets should be set to 10.32.250.0/24 and 10.32.251.0/24."
because I don't understand it.
I have one protected (corporate) network 192.168.2.x and the SSL-VPN clients are in many different LANs.
I guess the problem is all the policy: LAN >> back to the VPN client?
Can anyone point out my mistake? Thanks
I can see that you have added the SSLVPN group to the policy LAN -> ssl.root and that is wrong.
The group should only be on your ssl.root -> LAN
Yes, you are right, I already deactivated this one. Still the same behaviour.
OK, solution:
(this really is a tough one)
It all came down to this bug here:
Yet I did the upgrade path 100%:
Firmware upgrade: v5.0,build4225 (GA) FGT30D-5.00-build179 -->
FGT_30D-v500-build0228-FORTINET.out v5.0,build0228 (GA Patch 4) -->
FGT_30D-v500-build4459-FORTINET.out FGT30D-5.00-build271 -->
FGT_30D-v5-build0305-FORTINET.out FGT30D-5.00-build305 -->
FGT_30D-v5-build0642-FORTINET.out v5.2.2,build642 (GA)
Annoying.
Thanks for your help.